
Directory Services Restore Mode (DSRM) is a special boot option similar to Safe Mode in Windows. It applies only to Windows Server domain controllers and is used to restore or repair the Active Directory database; any such repair or restore has to be done in DSRM. Restarting in Directory Services Restore Mode takes the domain controller offline, meaning it functions as a regular server, not as a domain controller.

Boot into Directory Services Restore Mode

If you have physical access to a domain controller, you can access Directory Services Restore Mode easily. Turn on or restart the computer and press F8 before the machine boots into Windows; the system will display the Advanced Boot Options menu.

Choose the Directory Services Restore Mode from the menu and press Enter. The server will then boot into Directory Services Restore Mode.

Directory Services Restore Mode Password

Generally, when you run the DCPROMO command to promote a server to a domain controller, the install wizard prompts you to set a Directory Services Restore Mode password. This password is actually for the built-in local administrator account. To boot into Directory Services Restore Mode, you need to use the local administrator account along with the DSRM password to get past the Windows logon screen.

It is very important to know what the DSRM password is. The DSRM password provides the administrator with a back door to boot into Directory Services Restore Mode for performing maintenance and recovery tasks. Many AD administrators forget about this account, which results in a significant security risk; if it is exploited, the impact can be high.

The DSRM password should be changed on a regular basis. Because it can be used to log on in Directory Services Restore Mode, where the tasks that can be performed are significant, an exploit of the DSRM account can be extremely detrimental to your AD DS forest.
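
One way to check whether the DSRM password really is being changed regularly, as an added example that is not part of the original post: the function below takes Security log event 4794 records (an attempt to set the DSRM administrator password) and reports each domain controller's DSRM password age. The 180-day threshold, the function name Get-DsrmPasswordAge, and the host names and dates in the sample data are assumptions made for illustration.

```powershell
# Added example (not from the original post). Assumptions: a 180-day rotation
# window, and account-management auditing enabled on every DC so that event
# 4794 (attempt to set the DSRM administrator password) reaches the Security log.

function Get-DsrmPasswordAge {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        # Records with MachineName and TimeCreated, as returned by Get-WinEvent
        [object[]] $ResetEvent = @(),
        [int] $MaxAgeDays = 180,
        [datetime] $Now = (Get-Date)
    )
    foreach ($dc in $DomainController) {
        # Newest recorded DSRM password change for this DC, if any
        $last = $ResetEvent | Where-Object { $_.MachineName -eq $dc } |
            Sort-Object TimeCreated -Descending | Select-Object -First 1
        $when = if ($last) { $last.TimeCreated } else { $null }
        $age  = if ($last) { [math]::Floor(($Now - $when).TotalDays) } else { $null }
        [pscustomobject]@{
            DomainController = $dc
            LastDsrmReset    = $when
            AgeDays          = $age
            # No event at all is also a finding: never changed, or the log rolled over
            Overdue          = (-not $last) -or ($age -gt $MaxAgeDays)
        }
    }
}

# Constructed sample data (hypothetical host names and dates) so the logic runs offline
$now    = [datetime]'2024-06-01'
$dcs    = 'dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example'
$events = @(
    [pscustomobject]@{ MachineName = 'dc01.corp.example'; TimeCreated = [datetime]'2024-04-15' }
    [pscustomobject]@{ MachineName = 'dc01.corp.example'; TimeCreated = [datetime]'2023-01-10' }
    [pscustomobject]@{ MachineName = 'dc02.corp.example'; TimeCreated = [datetime]'2023-02-01' }
)
Get-DsrmPasswordAge -DomainController $dcs -ResetEvent $events -Now $now | Format-Table -AutoSize

# Live collection on a management host with the ActiveDirectory module:
#   $dcs    = (Get-ADDomainController -Filter *).HostName
#   $events = foreach ($dc in $dcs) {
#       Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
#           -FilterHashtable @{ LogName = 'Security'; Id = 4794 } |
#           Where-Object { $_.KeywordsDisplayNames -contains 'Audit Success' }
#   }
```

To rotate the password on a domain controller the report flags, run ntdsutil on that server, enter "set dsrm password", then "reset password on server null" (null means the local server).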